Managing ldap block in a dual-provider environment
Summary
https://gitlab.zendesk.com/agent/tickets/95943
This customer reported that two users were unable to log in to GitLab, with the following error:
Processing by OmniauthCallbacksController#ldapsecondary as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]", "remember_me"=>"1"}
LDAP search error: No Such Object
Redirected to http://<hostname>/users/auth/ldapsecondary/omniauth_error?error=State+cannot+transition+via+%22ldap+block%22
Completed 302 Found in 524ms (ActiveRecord: 24.5ms | Elasticsearch: 0.0ms)
Started GET "/users/auth/ldapsecondary/omniauth_error?error=State+cannot+transition+via+%22ldap+block%22" for 172.16.103.7 at 2018-05-08 10:08:02 -0400
Processing by OmniauthCallbacksController#omniauth_error as HTML
Parameters: {"error"=>"State cannot transition via \"ldap block\"", "provider"=>"ldapsecondary"}
They had two ldap servers configured: ldapmain and ldapsecondary.
The users who could not log in did exist in ldapsecondary. On examining their identities, we found that each account had identities in both ldapmain and ldapsecondary. They had apparently been removed from ldapmain, so the regular user sync had applied an ldap block to them. After removing the ldapmain identity from their accounts, they were able to log in successfully.
What is the expected correct behavior?
The ldap block should be reset when the user logs in successfully via ldap.
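A constructed Ruby model of the failure described above and of the expected behaviour, added here as an example; it is not GitLab's own code. The login flow (bind with the chosen provider, then verify every LDAP identity on the account), the in-memory directory hash and the DN are assumptions made for the illustration.

```ruby
# Constructed model of the dual-provider "ldap block" failure; not GitLab's own code.
class InvalidTransition < StandardError; end
class User
  attr_reader :state, :identities
  def initialize(identities) # provider name => DN, e.g. "ldapmain" => "uid=x,..."
    @identities = identities
    @state = :active
  end
  # Guarded transition: only an active user may be ldap-blocked.
  def ldap_block!
    raise InvalidTransition, 'State cannot transition via "ldap block"' unless @state == :active
    @state = :ldap_blocked
  end
  def activate!; @state = :active; end
end

# True when the provider's directory (assumed hash: provider => list of DNs) still returns the DN.
def present?(user, provider, directory)
  dn = user.identities[provider]
  !dn.nil? && directory.fetch(provider, []).include?(dn)
end
# Scheduled user sync for one provider: blocks active users it can no longer find.
def sync_provider(users, provider, directory)
  users.each do |u|
    u.ldap_block! if u.identities.key?(provider) && u.state == :active && !present?(u, provider, directory)
  end
end
# Login callback (assumed flow): bind with the chosen provider, then verify every LDAP identity.
# reset_block: false reproduces the report (a second ldap_block! on an already-blocked user
# raises); true is the expected behaviour, where a successful bind clears the block.
def login(user, provider, directory, reset_block: false)
  return :invalid_credentials unless present?(user, provider, directory)
  if reset_block
    user.activate! if user.state == :ldap_blocked
    return :ok
  end
  return :ok if user.state == :active && user.identities.keys.all? { |p| present?(user, p, directory) }
  user.ldap_block! # raises InvalidTransition for an already-blocked user
  :blocked
end
# Reproduce the ticket: the user left ldapmain but the account still carries a ldapmain identity.
def reproduce(reset_block:)
  dn = "uid=user.name,ou=people,dc=example,dc=com" # constructed sample DN
  directory = { "ldapmain" => [], "ldapsecondary" => [dn] }
  user = User.new("ldapmain" => dn, "ldapsecondary" => dn)
  sync_provider([user], "ldapmain", directory) # regular sync ldap-blocks the user
  login(user, "ldapsecondary", directory, reset_block: reset_block)
rescue InvalidTransition => e
  e.message
end
```

`reproduce(reset_block: false)` returns the exact error string from the log, while `reproduce(reset_block: true)` returns `:ok`; removing the stale ldapmain identity (the workaround used on the ticket) also yields `:ok` without any code change.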